In this article

In this article

Office add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in). As an Office 365 admin, you can deploy Office add-ins for the users in your organization. You can do this using the Centralized Deployment feature in the Office 365 admin center.

A Global admin can assign an add-in directly to a user, to multiple users via a group, or to everyone in the tenant.

When the relevant Office application starts, the add-in automatically downloads for the user. If the add-in supports add-in commands, the add-in automatically appears in the Ribbon within the Office application.

Add-ins will no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to.

Note

For Word, Excel and PowerPoint use a SharePoint App Catalog to deploy add-ins to users in an on-premises environment with no connection to Office 365 and/or support for SharePoint add-ins required. > For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Office 365. >

Recommended approach for deploying Office add-ins

Consider rolling out add-ins in a phased approach to help ensure your add-in deployment goes smoothly. We recommend the following plan:

Roll-out the add-in to a small set of business stakeholders and members of the IT department. Evaluate if the deployment was successful, and if so, move on to step 2.

Roll-out to a larger set of individuals within the business who will be using the add-in. Again, evaluate results and, if all went well, go to the next step of a full deployment.

Full rollout to target audience of users.

Depending on the size of the target audience, you may want to add or remove roll-out steps.

Deploy an Office add-in using the Office 365 admin center

For Single Sign-In add-ins the users and groups assigned will also be shared with add-ins that share the same Azure App ID. Any changes to user assignments will also apply to those add-ins. The related add-ins will be shown on this page.

Note

When the Global admin clicks Save, consent is written for all users in the tenant, not just those that the add-in has been assigned to.

Select the app launcher icon in the upper-left, and choose Admin. TIP: Admin appears only to Office 365 admins.

In the navigation menu, choose Settings > Services & add-ins.

If you see a message on the top of the page announcing the new Office 365 admin center, click the message to go to the Admin Center Preview (see About the Office 365 admin center).

Choose Upload Add-in at the top of the page.

Choose from one of the following options on the Centralized Deployment page:

I want to add an Add-in from the Office Store

I have the manifest file (.xml) on this device: For this option, select Browse to locate the manifest file (.xml) that you want to use.

I have a URL for the manifest file: For this option, type the URL in the field provided.

Select Next.

If you selected the option to add an add-in from the Office Store, you can now make your add-in selection in Select an Add-in. Notice that you can view available add-ins via categories of Suggested for you, Rating, or Name. Only free add-ins are available to add from the Office Store. Paid add-ins aren't supported currently. NOTE: With the Office Store option, updates and enhancements to the add-in will automatically be made available to users without your intervention.

The add-in is now enabled. On the page for the add-in, its status is On, like that shown for the Power BI Tiles add-in in the screenshot below. In Who has access, select Edit to specify who the add-in is deployed to. NOTES:By default, the add-in can't be deployed to anyone until you identify people or groups.Learn about the other states that apply to an add-in. See Add-in states later in this topic.

On the Edit who has access page, select either Everyone or Specific Users/Groups. Use the Search box to find the users or groups who you want to deploy the add-in to.

For Single Sign-In add-ins only:

This page will display the list of Graph scopes that the add-in requires in order to function.

When finished, choose Save, review the add-in settings, and then select Close. You now see your add-in along with other apps in Office 365.

It's a good idea to inform the users and groups who you deployed the add-in to so that they know that it's available. Consider sending an email to them that describes when and how to use the add-in and explains how the add-in can help them do their job better. Include or link to relevant Help content or FAQs that might help if users have any problems with the add-in.

Considerations when assigning an add-in to users and groups

Admins can assign an add-in to everyone or to specific users and groups. Each option has implications:

Everyone: As the name implies, this option assigns the add-in to every user in the tenant. Use this option sparingly and only for add-ins that are truly universal to your organization.

Users: If you assign an add-in to an individual user, then to deploy the add-in to a new user, you will need to first add that user. The same goes for removing users.

Groups: If you assign an add-in to a group, users who are added to the group will automatically be assigned the add-in. And, when a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from you as the admin.

The option that is right for your organization depends on your configuration. However, we recommend making assignments via groups. As an admin, you might find it easier to manage add-ins using groups and control the membership of those groups rather than having to change the users assigned each time. On the other hand, in some situations, you may want to restrict access to a very small set of users and therefore make assignments to specific users. As a result, you will need to manage the assigned users manually.

Add-in states

The following table describes the states that apply to an add-in.

State

How the state occurs

Impact

Active

Admin uploaded the add-in and assigned it to users or groups.

Users and groups assigned to the add-in see it in the relevant clients.

Turned off

Admin turned off the add-in.

Users and groups assigned to the add-in no longer have access to it. If the add-in state is changed to Active, the users and groups will have access to it again.

Deleted

Admin deleted the add-in.

Users and groups assigned the add-in no longer have access to it.

Consider deleting an add-in if no one is using it any more. Turning off an add-in may make sense if an add-in is used only during specific times of the year.

Security of Office add-ins

Office add-ins combine an XML manifest file that contains some metadata about the add-in, but most importantly points to a web application which contains all the code and logic. Add-ins can range in their capabilities. For example, add-ins can:

Display data.

Read a user's document to provide contextual services.

Read and write data to and from a user's document to provide value to that user.

For more information about the types and capabilities of Office add-ins, see Office Add-ins platform overview, especially the section "Anatomy of an Office Add-in."

To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. The majority of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, see Requesting permissions for API use in content and task pane add-ins.

When updating a manifest, the typical changes are to an add-in's icon and text. Occasionally, add-in commands change. However, the permissions of the add-in do not change. The web application where all the code and logic for the add-in runs can change at any time, which is the nature of web applications.

Updates for add-ins happen as follows:

Line-of-business add-in: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.

Office Store add-in: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the add-in will update later in Centralized Deployment. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.

Prevent add-in downloads by turning off the Office Store across all clients

As an organization you may wish to prevent the download of new Office add-ins from the Office Store. This can be used in conjunction with Centralized Deployment to ensure that only organization-approved add-ins are deployed to users within your organization.

Minors and acquiring add-ins from the Store

The General Data Protection Regulation (GDPR) is a European Union regulation that becomes effective May 25, 2018. It gives users rights to and protection of their data. One of the aspects of the GDPR is that minors cannot have their personal data sent to parties that their parent or guardian hasn't approved. The specific age defined as a minor depends on the region where the individual is located.

Regions that have statutory regulations about parental consent include the United States, South Korea, the United Kingdom, and the European Union. For those regions, a minor will be blocked (via Azure Active Directory) from getting any new Office add-ins from the Store and running add-ins that were previously acquired. For countries without statutory regulations, there will be no download restrictions.

A user is determined to be a minor based on data specified in Azure Active Directory. The tenant admin is responsible for declaring the legal age group and the parental consent for that user.

If the parent/guardian consents to a minor using a specific add-In, then the tenant admin can use centralized deployment to deploy that add-In to all minors who have consent.

To be GDPR compliant for minors you need to ensure that one of following builds of Office is deployed in your school/organization.

For Word, Excel, PowerPoint, and Project:

Platform

Build number

Office 2016 ProPlus Monthly for Windows

9001.2138

Office 2016 ProPlus Semi-Annual

8431.2159

Office 2016 for Windows

16.0.4672.1000

Office 2013 for Windows

15.0.5023.1000

Office 2016 for Mac

16.11.18020200

Office 2016 for iOS

2.12.18032600

Office Online

N/A

For Outlook:

Platform

Build number

Outlook 2016 for Windows (MSI)

Build No TBD

Outlook 2016 for Windows (C2R)

16.0.9323.1000

Office 2016 for Mac

16.0.9318.1000

Outlook mobile for iOS

2.75.0

Outlook mobile for Android

2.2.145

Outlook Online

N/A

Office 2013 requirements

Word, Excel, and PowerPoint 2013 for Windows will support the same minor checks if Active Directory Authentication Library (ADAL) is enabled. There are two options for compliance, as explained next.

Don't enable ADAL. If you're unable to enable ADAL in Office 2013, then our recommendation is to use Group Policy to turn off the Store for the office clients. Information on how to turn off the app for Office settings is located here.

End user experience with add-ins

Now that you've deployed the add-in, your end users can start using it in their Office applications (see Start using your Office Add-in). The add-in will appear on all platforms that the add-in supports.

If the add-in supports add-in commands, the commands appear on the Office ribbon. In the following example, the command Search Citation appears for the Citations add-in.

If the deployed add-in doesn't support add-in commands or if you want to view all deployed add-ins, you can view them via My Add-ins.